Page 204 - Cyber Defense eMagazine June 2024

Vulnerability Management

Clear and comprehensive policies and procedures for vulnerability management must now be documented. These should include preventative procedures such as internal and external penetration testing, frequent vulnerability scans of systems, and timely remediation of vulnerabilities once they are identified by security controls, whether planned or already in place. These assessments must be updated annually, or whenever there is a change to the business or the technology it uses that affects the institution's risk.




Data Protections

Speaking of preventative measures, the new regulation is more specific about the kinds of basic security measures required of all financial institutions. For example, access privileges must be strictly enforced, with certain data considered "privileged" based on security risk. Privileged information should be safeguarded with password protection or user access permits that are evaluated and updated annually or whenever there is a personnel departure.

Multi-factor authentication is another expectation, and it extends even to entities that are technically "exempt" from the new regulations. This standard should be applied to all privileged data, as well as to remote access to the entity's own information systems or to those of third-party applications. Encryption is another tool deemed acceptable and recommended by regulatory bodies.



Incident Response


Unfortunately, even the best-laid plans can fail, especially in the ever-changing digital world we now live in. For this reason, 23 NYCRR Part 500 lays out clear expectations for how entities must prepare for and respond to a cybersecurity event or incident. Under the new guidance, financial institutions are required to develop thorough, documented response plans that set out goals, root cause analysis procedures, and the internal processes to follow in the event of a cyber breach. Disaster recovery and business continuity plans should also include data backup procedures and recovery approaches and, once finalized, be distributed to all employees and tested regularly.


After a breach occurs, entities are required to notify the New York State Department of Financial Services within 72 hours – or within 24 hours in cases of extortion payments – providing all relevant and requested documentation. Entities, and more specifically the CISO, must also proactively provide written acknowledgment if they did NOT comply with regulatory requirements regarding the incident, and share a remediation plan.



Monitoring and Training

Human error poses the biggest risk not only to the cybersecurity of an entity but also to the maintenance of compliance. To avoid the consequences of human error, financial institutions must take the necessary steps to block malicious content on devices, monitor web traffic, and implement other risk-based controls.




Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.